HIGH 7.2

CVE-2025-66273: QNAP Command Injection in QTS and QuTS hero

QNAP NAS systems running vulnerable versions of QTS and QuTS hero contain a command injection flaw that allows an authenticated administrator to execute arbitrary commands on the device. An attacker who obtains admin credentials—either through credential compromise, social engineering, or internal threat—can leverage this vulnerability to gain full control over the NAS, potentially accessing stored data, modifying configurations, or using the device as a pivot point into the network. The vulnerability requires valid administrative access, so it represents a privilege escalation or lateral movement risk rather than an unauthenticated remote attack.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-78
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-66273 is a command injection vulnerability (CWE-78) affecting QNAP QTS and QuTS hero operating systems. The flaw permits an authenticated administrator to inject and execute arbitrary system commands. With a CVSS v3.1 score of 7.2 (HIGH), the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H indicates network accessibility, high privilege requirement, no user interaction needed, and complete impact on confidentiality, integrity, and availability. QNAP has released patched versions across multiple OS families: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, h5.3.4.3500 build 20260520 and later, and h6.0.0.3397 build 20260206 and later.

Business impact

A successful exploitation allows complete compromise of an affected NAS device. An adversary with admin access can steal sensitive files stored on the NAS, corrupt or delete backups, modify access controls, install malware or ransomware, or use the NAS as a staging point for lateral network movement. For organizations relying on QNAP systems for centralized file storage, backup repositories, or media management, this creates immediate data confidentiality and integrity risks. The attack surface widens if administrative credentials are weak, shared, or leaked in credential breaches affecting other services.

Affected systems

The vulnerability affects QNAP QTS and QNAP QuTS hero operating systems across multiple versions released prior to the patches listed. Specifically vulnerable versions include QTS prior to 5.2.9.3410 build 20260214, and QuTS hero releases prior to h5.2.9.3410 build 20260214, h5.3.4.3500 build 20260520, or h6.0.0.3397 build 20260206 (depending on which QuTS hero branch is deployed). Organizations should verify their exact QNAP device model and current OS build to confirm exposure.

Exploitability

The vulnerability requires valid administrator credentials, which significantly limits opportunistic exploitation. However, exploitability increases substantially if administrative passwords are weak, reused across systems, exposed in breaches, or overprivileged. Once authenticated, the attack is straightforward and does not require user interaction. The network-accessible nature (AV:N) means an attacker can exploit it remotely if they obtain admin credentials. Insider threats and compromised admin accounts from phishing or credential stuffing represent the most realistic attack vectors.

Remediation

Immediately upgrade affected QNAP devices to the patched versions: QTS to 5.2.9.3410 build 20260214 or later, QuTS hero h5.x to the corresponding build 20260214 or later, h5.3.4 to build 20260520 or later, or h6.0.0 to build 20260206 or later. Before patching, enforce strong, unique administrator passwords and restrict administrative access to trusted network segments or VPN only. Review access logs for any unauthorized administrator logins.

Patch guidance

Download and apply the appropriate firmware update from QNAP's security advisory or firmware repository based on your device's OS version and build. Verify the build date matches or exceeds the patched builds listed (20260214, 20260520, or 20260206). Schedule patching during maintenance windows, as NAS firmware updates typically require a reboot. Test patches in a non-production environment first if possible. After patching, reboot the device and verify normal operation. Update any monitoring or backup jobs that may have been interrupted.

Detection guidance

Monitor QNAP administrative logs for suspicious command execution patterns, unusual shell activity, or commands executed through web interface or API endpoints. Alert on administrator login events from unexpected IP ranges or outside business hours. Use endpoint detection and response (EDR) or file integrity monitoring (FIM) to detect unauthorized modifications to system files or backup metadata. Check for evidence of command injection payloads in web server or application logs. Network segmentation and access controls can limit the impact of compromised admin accounts.

Why prioritize this

Although the CVSS score of 7.2 is elevated and the vulnerability allows complete system compromise, the requirement for administrator credentials significantly reduces the likelihood of widespread exploitation. Prioritize patching if: (1) your NAS is internet-accessible with weak or default admin credentials; (2) your administrator accounts have been exposed in credential breaches; (3) your organization has seen phishing or credential theft targeting QNAP admins; (4) the NAS holds sensitive or critical backup data. Organizations with strong password policies and network segmentation can patch within normal maintenance cycles; others should expedite.

Risk score, explained

The CVSS 7.2 score reflects the complete confidentiality, integrity, and availability impact once an attacker gains admin access, combined with network accessibility and ease of exploitation (low attack complexity). However, the high privilege requirement (PR:H) significantly mitigates overall risk in environments with strong credential management. The actual organizational risk depends on the likelihood of credential compromise and the criticality of the NAS to operations.

Frequently asked questions

Do we need to patch immediately if we have strong firewall rules blocking admin access?

Network segmentation reduces risk substantially. However, patching remains advisable because insider threats, VPN-based access, and credential compromise can still enable exploitation. Plan patching within your normal maintenance cycle, but do not defer indefinitely.

What if our QNAP NAS is running a version not listed in the advisory?

Verify your exact build number through the QNAP web interface (System Settings > Firmware). Cross-reference it against the patched versions published by QNAP. If your version is not explicitly mentioned, contact QNAP support or check their official security bulletins to confirm whether your build is vulnerable.

Can this vulnerability be exploited without physical access to the network?

Yes. The CVSS vector indicates network accessibility (AV:N), meaning an attacker with valid administrator credentials can exploit it remotely over the network. Internet-exposed QNAP devices or those accessible via VPN are at higher risk if admin passwords are weak or compromised.

What should we do if we suspect unauthorized administrator access on our QNAP?

Isolate the affected NAS from the network immediately, review administrative audit logs for suspicious activity or command execution, preserve logs for forensics, change all administrator passwords, and check whether any data was exfiltrated or modified. After patching and securing credentials, restore the device to service and implement enhanced monitoring.

This analysis is provided for informational purposes by SEC.co and does not constitute professional security advice. Verify all patch version numbers and affected systems against the official QNAP security advisory and your device configuration before taking action. Organizations should conduct their own risk assessment based on their specific environment, network architecture, and data criticality. SEC.co does not warrant the completeness or accuracy of this analysis and assumes no liability for actions taken or not taken based on this content. Consult with your security team and vendor advisories for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).